From f365663e86fd06075bd5fe2d30bab0a64dc27b18 Mon Sep 17 00:00:00 2001
From: Guvenc Gulce
Date: Fri, 16 Jul 2021 09:54:03 +0200
Subject: [PATCH 1/3] smc-tools: stats: Fix memory overread in is_data_consistent()

Fix memory overread in is_data_consistent() and merge_cache() functions.

Signed-off-by: Guvenc Gulce
---
 README.md | 1 +
 stats.c | 13 +++++++------
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index 2397475..5047f62 100644
--- a/README.md
+++ b/README.md
@@ -47,6 +47,7 @@ Release History:
 - `smc_run`: Add various command-line switches
 
 Bug fixes:
+ - `smcd`/`smcr`: stats: Fix memory overread in is_data_consistent()
 - `smc_chk`: Remove 'EXPERIMENTAL' flag
 - `smc_chk`: Improve cleanup
 - `smc_chk`: Start server with intended port
diff --git a/stats.c b/stats.c
index 2a00e42..d3a814f 100644
--- a/stats.c
+++ b/stats.c
@@ -900,7 +900,7 @@ static int is_data_consistent ()
 cache++;
 }
 
- size_fback = size + 2 * SMC_MAX_FBACK_RSN_CNT;
+ size_fback = 2 * SMC_MAX_FBACK_RSN_CNT;
 kern_fbck = (struct smc_stats_fback *)&smc_rsn;
 for (i = 0; i < size_fback; i++) {
 val_err = kern_fbck->fback_code;
@@ -924,8 +924,8 @@ static int is_data_consistent ()
 static void merge_cache ()
 {
 int size, i, size_fback, val_err, cache_cnt;
+ struct smc_stats_fback *kern_fbck;
 __u64 *kernel, *cache;
- int *kern_fbck;
 
 if (!is_data_consistent()) {
 unlink(cache_file_path);
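Review bot: The cast `kern_fbck = (struct smc_stats_fback *)&smc_rsn;` kept as context in the @@ -900 hunk, together with the new bound `size_fback = 2 * SMC_MAX_FBACK_RSN_CNT;`, still ties the walk to the layout of `smc_rsn`: the server and client entries have to be its leading members, contiguous and without padding, otherwise the loop runs into `srv_fback_cnt` and whatever follows, which is the same class of overread this commit fixes; the merge_cache hunk (@@ -938) repeats the same cast and bound. Assuming `smc_rsn` has the type of `smc_rsn_c`, whose `.srv` and `.clnt` the hunk already passes to get_fback_err_cache_count, indexing the named arrays removes the layout dependency: in merge_cache a loop to `SMC_MAX_FBACK_RSN_CNT` with `smc_rsn.srv[i].count -= get_fback_err_cache_count(smc_rsn_c.srv, smc_rsn.srv[i].fback_code);` and the matching `clnt` line, which also makes the `i < SMC_MAX_FBACK_RSN_CNT` branch and `size_fback` unnecessary. If the cast is kept, the assumption should at least be stated next to it, e.g. `/* walks smc_rsn.srv[] then smc_rsn.clnt[] as one contiguous array of struct smc_stats_fback */`. The body of is_data_consistent's loop continues past the end of the @@ -900 hunk.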
@@ -938,15 +938,16 @@ static void merge_cache ()
 for (i = 0; i < size; i++)
 *(kernel++) -= *(cache++);
 
- size_fback = size + 2 * SMC_MAX_FBACK_RSN_CNT;
- kern_fbck = (int *)&smc_rsn;
+ size_fback = 2 * SMC_MAX_FBACK_RSN_CNT;
+ kern_fbck = (struct smc_stats_fback *)&smc_rsn;
 for (i = 0; i < size_fback; i++) {
- val_err = *(kern_fbck++);
+ val_err = kern_fbck->fback_code;
 if (i < SMC_MAX_FBACK_RSN_CNT)
 cache_cnt = get_fback_err_cache_count(smc_rsn_c.srv, val_err);
 else
 cache_cnt = get_fback_err_cache_count(smc_rsn_c.clnt, val_err);
- *(kern_fbck++) -= cache_cnt;
+ kern_fbck->count -= cache_cnt;
+ kern_fbck++;
 }
 
 smc_rsn.srv_fback_cnt -= smc_rsn_c.srv_fback_cnt;
--
2.25.1